(57) ABSTRACT

The invention provides a method and system for switching 
in networks responsive to message flow patterns. A message 
"flow" is defined to comprise a set of packets to be trans- 
mitted between a particular source and a particular destina- 
tion. When routers in a network identify a new message 
flow, they determine the proper processing for packets in 
that message flow and cache that information for that 
message flow. Thereafter, when routers in a network identify 
a packet which is part of that message flow, they process that 
packet according to the proper processing for packets in that 
message flow. The proper processing may include a deter- 
mination of a destination port for routing those packets and 
a determination of whether access control permits routing 
those packets to their indicated destination. 

33 Claims, 5 Drawing Sheets 
NETWORK FLOW SWITCHING AND FLOW DATA EXPORT

This is a continuation of application Ser. No. 08/655,429, filed May 28, 1996.

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

This invention relates to network switching and data 
export responsive to message flow patterns. 

2. Description of Related Art 

In computer networks, it commonly occurs that message 
traffic between a particular source and a particular destina- 
tion will continue for a time with unchanged routing or 
switching parameters. For example, when using the file-transfer protocol "FTP" there is substantial message traffic
between the file's source location and the file's destination 
location, comprising the transfer of many packets which 
have similar headers, differing in the actual data which is 
transmitted. During the time when message traffic continues, 
routing and switching devices receiving packets comprising 
that message traffic must examine those packets and deter- 
mine the processing thereof. 

One problem which has arisen in the art is that processing 
demands on routing and switching devices continue to grow 
with increased network demand. It continues to be advan- 
tageous to provide techniques for processing packets more 
quickly. This problem has been exacerbated by addition of 
more complex forms of processing, such as the use of access 
control lists. 

It would therefore be advantageous to provide techniques 
in which the amount of processing required for any indi- 
vidual packet could be reduced. With inventive techniques 
described herein, information about message flow patterns is 
used to identify packets for which processing has already 
been determined, and therefore to process those packets 
without having to re-determine the same processing. The 
amount of processing required for any individual packet is 
therefore reduced. 

Information about message flow patterns would also be 
valuable for providing information about use of the network, 
and could be used for a variety of purposes by network 
administrators, routing devices, service providers, and users. 

Accordingly, it would be advantageous to provide a 
technique for network switching and data export responsive 
to message flow patterns. 

SUMMARY OF THE INVENTION 

The invention provides a method and system for switching in networks responsive to message flow patterns. A message "flow" is defined to comprise a set of packets to be transmitted between a particular source and a particular destination. When routers in a network identify a new message flow, they determine the proper processing for packets in that message flow and cache that information for that message flow. Thereafter, when routers in a network identify a packet which is part of that message flow, they process that packet according to the proper processing for packets in that message flow. The proper processing may include a determination of a destination port for routing those packets and a determination of whether access control permits routing those packets to their indicated destination.

In another aspect of the invention, information about 
message flow patterns is collected, responsive to identified 
message flows and their packets. The collected information 
is reported to devices on the network. The collected information is used for a variety of purposes, including: to diagnose actual or potential network problems, to determine patterns of usage by date and time or by location, to determine which services and which users use a relatively larger or smaller amount of network resources, to determine which services are accessed by particular users, to determine which users access particular services, or to determine usage which falls within selected parameters (such as: access during particular dates or times, access to prohibited services, excessive access to particular services, excessive use of network resources, or lack of proper access).

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 shows a network in which routing responsive to message flow patterns is performed.

FIG. 2 shows a method for routing in networks responsive to message flow patterns.

FIG. 3 shows data structures for use with a method for routing in networks responsive to message flow patterns.

FIG. 4 shows an IP address cache for use with a method for routing in networks responsive to message flow patterns.

FIG. 5 shows a method for collecting and reporting information about message flow patterns.

DESCRIPTION OF THE PREFERRED 
EMBODIMENT 

In the following description, a preferred embodiment of the invention is described with regard to preferred process steps and data structures. However, those skilled in the art would recognize, after perusal of this application, that embodiments of the invention may be implemented using a set of general purpose computers operating under program control, and that modification of a set of general purpose computers to implement the process steps and data structures described herein would not require undue invention.

Message Flows

FIG. 1 shows a network in which routing responsive to message flow patterns is performed.

A network 100 includes at least one communication link 110, at least one source device 120, at least one destination device 130, and at least one routing device 140. The routing device 140 is disposed for receiving a set of packets 150 from the source device 120 and routing them to the destination device 130.

50 The communication link 110 may comprise any form of 
physical media layer, such as ethernet, FDDI, or HDLC 
serial link. 

The routing device 140 comprises a routing processor for performing the process steps described herein, and may include specific hardware constructed or programmed for performing the process steps described herein, a general purpose processor operating under program control, or some combination thereof.
A message flow 160 consists of a unidirectional stream of packets 150 to be transmitted between particular pairs of transport service access points (thus, network-layer addresses and port numbers). In a broad sense, a message flow 160 thus refers to a communication "circuit" between communication end-points. In a preferred embodiment, a message flow 160 is defined by a network-layer address for a particular source device 120, a particular port number at the source device 120, a network-layer address for a particular destination device 130, a particular port number at the destination device 130, and a particular transmission protocol type. For example, the transmission protocol type may identify a known transmission protocol, such as UDP, TCP, ICMP, or IGMP (internet group management protocol).

In a preferred embodiment for use with a network of networks (an "internet"), the particular source device 120 is identified by its IP (internet protocol) address. The particular port number at the source device 120 is identified by either a port number which is specific to a particular process, or by a standard port number for the particular transmission protocol type. For example, a standard port number for the TCP protocol type is 6 and a standard port number for the UDP protocol type is 17. Other protocols which may have standard port numbers include the FTP protocol, the TELNET protocol, an internet telephone protocol, or an internet video protocol such as the "CUSeeMe" protocol; these protocols are known in the art of networking. Similarly, the particular destination device 130 is identified by its IP (internet protocol) address; the particular port number at the destination device 130 is identified by either a port number which is specific to a particular process, or a standard port number for the particular transmission protocol type.

It will be clear to those skilled in the art, after perusing this application, that the concept of a message flow is quite broad, and encompasses a wide variety of possible alternatives within the scope and spirit of the invention. For example, in alternative embodiments, a message flow may be bi-directional instead of unidirectional, a message flow may be identified at a different protocol layer level than that of transport service access points, or a message flow may be identified responsive to other factors. These other factors may include one or more of the following: information in packet headers, packet length, time of packet transmission, or routing conditions on the network (such as relative network congestion or administrative policies with regard to routing and transmission).

Network Flow Switching

FIG. 2 shows a method for routing in networks responsive to message flow patterns.

In broad overview, the method for routing in networks responsive to message flow patterns comprises two parts. In a first part, the routing device 140 builds and uses a flow cache (described in further detail with regard to FIG. 3), in which routing information to be used for packets 150 in each particular message flow 160 is recorded and from which such routing information is retrieved for use. In a second part, the routing device 140 maintains the flow cache, such as by removing entries for message flows 160 which are no longer considered valid.

A method 200 for routing in networks responsive to message flow patterns is performed by the routing device 140.

At a flow point 210, the routing device 140 is disposed for building and using the flow cache.

At a step 221, the routing device 140 receives a packet 150.

At a step 222, the routing device 140 identifies a message flow 160 for the packet 150. In a preferred embodiment, the routing device 140 examines a header for the packet 150 and identifies the IP address for the source device 120, the IP address for the destination device 130, and the protocol type for the packet 150. The routing device 140 determines the port number for the source device 120 and the port number for the destination device 130 responsive to the protocol type. Responsive to this set of information, the routing device 140 determines a flow key 310 (described with reference to FIG. 3) for the message flow 160.

At a step 223, the routing device 140 performs a lookup in a flow cache for the identified message flow 160. If the lookup is unsuccessful, the identified message flow 160 is a "new" message flow 160, and the routing device 140 continues with the step 224. If the lookup is successful, the identified message flow 160 is an "old" message flow 160, and the routing device 140 continues with the step 225. In a preferred embodiment, the routing device 140 determines a table entry responsive to the flow key 310. This aspect of the step 223 is described in further detail with regard to FIG. 3.

At a step 224, the routing device 140 makes a new entry in the flow cache; the routing device 140 determines proper treatment of packets 150 in the message flow 160 and enters information regarding such proper treatment in a data structure pointed to by the new entry in the flow cache. In a preferred embodiment, the routing device 140 determines the proper treatment by performing a lookup in an IP address cache as shown in FIG. 4.

In a preferred embodiment, the proper treatment of packets 150 in the message flow 160 includes treatment with regard to switching (thus, the routing device 140 determines an output port for switching packets 150 in the message flow 160), with regard to access control (thus, the routing device 140 determines whether packets 150 in the message flow 160 meet the requirements of access control, as defined by access control lists in force at the routing device 140), with regard to accounting (thus, the routing device 140 creates an accounting record for the message flow 160), with regard to encryption (thus, the routing device 140 determines encryption treatment for packets 150 in the message flow 160), and any special treatment for packets 150 in the message flow 160.

In a preferred embodiment, the routing device 140 performs any special processing for new message flows 160 at this time. For example, in one preferred embodiment, the routing device 140 requires that the source device 120 or the destination device 130 must authenticate the message flow 160. In that case, the routing device 140 transmits one or more packets 150 to the source device 120 or the destination device 130 to request information (such as a user identifier and a password) to authenticate the new message flow 160, and receives one or more packets 150 comprising the authentication information. This technique could be useful for implementing security "firewalls" and other authentication systems.

Thereafter, the routing device 140 proceeds with the step 225, using the information from the new entry in the flow cache, just as if the identified message flow 160 were an "old" message flow 160 and the lookup in a flow cache had been successful.

At a step 225, the routing device 140 retrieves routing information from the entry in the flow cache for the identified message flow 160.

In a preferred embodiment, the entry in the flow cache includes a pointer to a rewrite function for at least part of a header for the packet 150. If this pointer is non-null, the routing device 140 invokes the rewrite function to alter the header for the packet 150.

At a step 226, the routing device 140 routes the packet 150 responsive to the routing information retrieved at the step 225.

Thus, in a preferred embodiment, the routing device 140 does not separately determine, for each packet 150 in the message flow 160, the information stored in the entry in the flow cache. Rather, when routing a packet 150 in the message flow 160, the routing device 140 reads the information from the entry in the flow cache and treats the packet 150 according to the information in the entry in the flow cache.

Thus, in a preferred embodiment, the routing device 140 routes the packet 150 to an output port, determines whether access is allowed for the packet 150, determines encryption treatment for the packet 150, and performs any special treatment for the packet 150, all responsive to information in the entry in the flow cache.

In a preferred embodiment, the routing device 140 also enters accounting information in the entry in the flow cache for the packet 150. When routing each packet 150 in the message flow 160, the routing device 140 records the cumulative number of packets 150 and the cumulative number of bytes for the message flow 160.

Because the routing device 140 processes each packet 150 in the message flow 160 responsive to the entry for the message flow 160 in the flow cache, the routing device 140 is able to implement administrative policies which are designated for each message flow 160 rather than for each packet 150. For example, the routing device 140 is able to reserve specific amounts of bandwidth for particular message flows 160 and to queue packets 150 for transmission responsive to the bandwidth reserved for their particular message flows 160.

Because the routing device 140 is able to associate each packet 150 with a particular message flow 160 and to associate each message flow 160 with particular network-layer source and destination addresses, the routing device 140 is able to associate network usage with particular work stations (and therefore with particular users) or with particular services available on the network. This can be used for accounting purposes, for enforcing administrative policies, or for providing usage information to interested parties.

For a first example, the routing device 140 is able to monitor and provide usage information regarding access using the HTTP protocol to world wide web pages at particular sites.

For a second example, the routing device 140 is able to monitor usage information regarding relative use of network resources, and to give priority to those message flows 160 which use relatively fewer network resources. This can occur when a first message flow 160 is using a relatively low-bandwidth transmission channel (such as a 28.8 kilobits per second modem transmission channel) and when a second message flow 160 is using a relatively high-bandwidth transmission channel (such as a T-1 transmission line).

At a flow point 230, the routing device 140 is disposed for 
maintaining the flow cache. 

At a step 241, the routing device 140 examines each entry in the flow cache and compares a current time with a last time a packet 150 was routed using that particular entry. If the difference exceeds a first selected timeout, the message flow 160 represented by that entry is considered to have expired due to nonuse and thus to no longer be valid.

In a preferred embodiment, the routing device 140 also examines the entry in the flow cache and compares a current time with a first time a packet 150 was routed using that particular entry. If the difference exceeds a second selected timeout, the message flow 160 represented by that entry is considered to have expired due to age and thus to no longer be valid. The second selected timeout is preferably about one minute.

Expiring message flows 160 due to age artificially requires that a new message flow 160 must be created for the next packet 150 in the same communication session represented by the old message flow 160 which was expired. However, it is considered preferable to do so because it allows information to be collected and reported about message flows 160 without having to wait for those message flows 160 to expire from nonuse. For example, a multiple-broadcast communication session could reasonably last well beyond the time message flows 160 are expired for age, and if not so expired would mean that information about network usage would not account for significant network usage.

In a preferred embodiment, the routing device 140 also 
examines the entry in the flow cache and determines if the 
"next hop" information has changed. If so, the message flow 
160 is expired due to changed conditions. Other changed 
conditions which might cause a message flow 160 to be 
expired include changes in access control lists or other 
changes which might affect the proper treatment of packets 
150 in the message flow 160. The routing device 140 also 
expires entries in the flow cache on a least-recently-used 
basis if the flow cache becomes too full. 

If the message flow 160 is still valid, the routing device 
140 continues with the next entry in the flow cache until all 
entries have been examined. If the message flow 160 is no 
longer valid, the routing device 140 continues with the step 
242. 

At a step 242, the routing device 140 collects historical 
information about the message flow 160 from the entry in 
the flow cache, and deletes the entry. 

Flow Cache 

FIG. 3 shows data structures for use with a method for 
routing in networks responsive to message flow patterns. 

A flow cache 300 comprises a memory which associates 
flow keys 310 with information about message flows 160 
identified by those flow keys 310. The flow cache 300 
includes a set of buckets 301. Each bucket 301 includes a 
linked list of entries 302. Each entry 302 includes informa- 
tion about a particular message flow 160, including routing, 
access control, accounting, special treatment for packets 150 
in that particular message flow 160, and a pointer to infor- 
mation about treatment of packets 150 to the destination 
device 130 for that message flow 160. 

In a preferred embodiment, the flow cache 300 includes a 
relatively large number of buckets 301 (preferably about 
16,384 buckets 301), so as to minimize the number of entries 
302 per bucket 301 and thus so as to minimize the number 
of memory accesses per entry 302. Each bucket 301 com- 
prises a four-byte pointer to a linked list of entries 302. The 
linked list preferably includes only about one or two entries 
302 at the most. 

In a preferred embodiment, each entry 302 includes a set 
of routing information, a set of access control information, 
a set of special treatment information, and a set of account- 
ing information, for packets 150 in the message flow 160. 

The routing information comprises the output port for 
routing packets 150 in the message flow 160. 

The access control information comprises whether access 
is permitted for packets 150 in the message flow 160. 

The accounting information comprises a time stamp for the first packet 150 in the message flow 160, a time stamp for the most recent packet 150 in the message flow 160, a cumulative count for the number of packets 150 in the message flow 160, and a cumulative count for the number of bytes in the message flow 160.
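The flow cache of this section together with the steps 221 through 226 and 241 through 242 above, as an added example in Python (not the patent's or any vendor's code); the packet dictionary layout, the resolve() callback that stands in for the IP address cache and access control lookup, the 15 second idle timeout and all sample traffic are assumptions made here:

```python
"""Flow cache of FIG. 2 and FIG. 3: flow key, bucketed lookup, per-packet
treatment and expiry. Added example, not the patent's or any vendor's code;
the packet dict layout, resolve() and the sample values are assumptions."""
from collections import namedtuple
import hashlib

FlowKey = namedtuple("FlowKey", "src_ip src_port dst_ip dst_port proto")
PORTED = {6, 17}  # TCP and UDP carry ports; ICMP (1) and IGMP (2) flows use 0


def flow_key(pkt):
    """Step 222: build the flow key 310 from the packet header fields."""
    if pkt["proto"] in PORTED:
        sport, dport = pkt["sport"], pkt["dport"]
    else:
        sport = dport = 0
    return FlowKey(pkt["src"], sport, pkt["dst"], dport, pkt["proto"])


class FlowEntry:
    """Entry 302: routing, access control, rewrite pointer and accounting."""

    def __init__(self, key, output_port, permitted, rewrite, now):
        self.key = key
        self.output_port = output_port  # routing information
        self.permitted = permitted      # access control information
        self.rewrite = rewrite          # rewrite function pointer, or None
        self.first_ts = self.last_ts = now
        self.packets = self.bytes = 0


class FlowCache:
    """Buckets 301 holding short lists of entries 302, indexed by key hash."""

    def __init__(self, num_buckets=16384):
        self.buckets = [[] for _ in range(num_buckets)]

    def _bucket(self, key):
        h = hashlib.blake2b(repr(key).encode(), digest_size=4).digest()
        return self.buckets[int.from_bytes(h, "big") % len(self.buckets)]

    def lookup(self, key):
        """Step 223: the entry for this key, or None when the flow is new."""
        for entry in self._bucket(key):
            if entry.key == key:
                return entry
        return None

    def process_packet(self, pkt, now, resolve):
        """Steps 221-226 for one packet. resolve(key) stands in for the IP
        address cache and ACL lookup of FIG. 4 and returns (output_port,
        permitted, rewrite_fn_or_None). Returns (pkt, port) or None if denied."""
        key = flow_key(pkt)
        entry = self.lookup(key)
        if entry is None:                        # step 224: new flow
            output_port, permitted, rewrite = resolve(key)
            entry = FlowEntry(key, output_port, permitted, rewrite, now)
            self._bucket(key).append(entry)
        entry.packets += 1                       # accounting on every packet
        entry.bytes += pkt["length"]
        entry.last_ts = now
        if not entry.permitted:                  # denied flows are still counted
            return None
        if entry.rewrite is not None:            # step 225: header rewrite
            pkt = entry.rewrite(pkt)
        return pkt, entry.output_port            # step 226

    def expire(self, now, idle_timeout=15.0, age_timeout=60.0):
        """Steps 241-242: drop flows expired by nonuse or by age and return
        their history. One minute is the patent's age timeout; 15 s is assumed."""
        history = []
        for bucket in self.buckets:
            keep = []
            for e in bucket:
                if now - e.last_ts > idle_timeout or now - e.first_ts > age_timeout:
                    history.append((e.key, e.first_ts, e.last_ts, e.packets, e.bytes))
                else:
                    keep.append(e)
            bucket[:] = keep
        return history


def demo():
    """Constructed traffic: two packets of one TCP flow, then one ICMP packet.
    Assumed policy: forward everything out port 2, but deny ICMP by ACL."""
    def resolve(key):
        return 2, key.proto != 1, None

    cache = FlowCache(num_buckets=64)
    tcp = {"src": "3.141.59.26", "dst": "10.0.0.7", "proto": 6,
           "sport": 40000, "dport": 80, "length": 500}
    icmp = {"src": "10.0.0.9", "dst": "10.0.0.7", "proto": 1, "length": 64}
    pkts = [tcp, dict(tcp, length=1200), icmp]
    results = [cache.process_packet(p, float(i), resolve) for i, p in enumerate(pkts)]
    # At t=100 both flows have been idle longer than 15 s and are expired.
    return results, cache.expire(now=100.0)
```

The second TCP packet hits the cached entry and is forwarded without a second resolve() call, while the denied ICMP flow still accumulates packet and byte counts that surface in the expiry history.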
IP Address Cache

FIG. 4 shows an IP address cache for use with a method 
for routing in networks responsive to message flow patterns. 

An IP address cache 400 comprises a tree having a root 
node 410, a plurality of inferior nodes 410, and a plurality 
of leaf data structures 420. 

Each node 410 comprises a node/leaf indicator 411 and an 
array 412 of pointers 413. 

The node/leaf indicator 411 indicates whether the node 410 is a node 410 or a leaf data structure 420; for nodes 410 it is set to a "node" value, while for leaf data structures 420 it is set to a "leaf" value.

The array 412 has room for exactly 256 pointers 413; thus, the IP address cache 400 comprises an M-trie with a branching width of 256 at each level. M-tries are known in the art of tree structures. IP addresses comprise four bytes, each having eight bits and therefore 256 possible values. Thus, each possible IP address can be stored in the IP address cache 400 using at most four pointers 413.

The inventors have discovered that IP addresses in actual use are unexpectedly clustered, so that the size of the IP address cache 400 is substantially less, by a factor of about five to a factor of about ten, than would be expected for a set of randomly generated four-byte IP addresses.

Each pointer 413 represents a subtree of the IP address cache 400 for its particular location in the array 412. Thus, for the root node 410, the pointer 413 at location 3 represents IP addresses having the form 3.xxx.xxx.xxx, where "xxx" represents any possible value from zero to 255. Similarly, in a sub-tree for IP addresses having the form 3.xxx.xxx.xxx, the pointer 413 at location 141 represents IP addresses having the form 3.141.xxx.xxx. Similarly, in a subtree for IP addresses having the form 3.141.xxx.xxx, the pointer 413 at location 59 represents IP addresses having the form 3.141.59.xxx. Similarly, in a sub-tree for IP addresses having the form 3.141.59.xxx, the pointer 413 at location 26 represents the IP address 3.141.59.26.

Each pointer 413 is either null, to indicate that there are no IP addresses for the indicated subtree, or points to an inferior node 410 or leaf data structure 420. A least significant bit of each pointer 413 is reserved to indicate the type of the pointed-to structure; that is, whether the pointed-to structure is a node 410 or a leaf data structure 420. In a preferred embodiment where pointers 413 must identify an address which is aligned on a four-byte boundary, the two least significant bits of each pointer 413 are unused for addressing, and reserving the least significant bit for this purpose does not reduce the scope of the pointer 413.

Each leaf data structure comprises information about the IP address, stored in the IP address cache 400. In a preferred embodiment this information includes the proper processing for packets 150 addressed to that IP address, such as a determination of a destination port for routing those packets and a determination of whether access control permits routing those packets to their indicated destination.

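The M-trie of FIG. 4, as an added example in Python (not the patent's code); the node/leaf indicator is kept as a field rather than a tagged pointer bit, the leaf payload and sample addresses are constructed here, and the node counter goes beyond the text's walk-through by measuring the clustering effect it describes:

```python
"""IP address cache of FIG. 4 as a 256-way M-trie. Added example, not the
patent's code: the node/leaf indicator is modelled as a field rather than a
tagged pointer bit, and the leaf payload and sample addresses are constructed."""
NODE, LEAF = "node", "leaf"


class TrieNode:
    """Node 410: indicator 411 plus an array 412 of 256 pointers 413."""
    __slots__ = ("kind", "ptrs")

    def __init__(self):
        self.kind = NODE
        self.ptrs = [None] * 256  # None: no IP addresses under this subtree


class Leaf:
    """Leaf data structure 420: proper processing for one IP address."""
    __slots__ = ("kind", "output_port", "permitted")

    def __init__(self, output_port, permitted):
        self.kind = LEAF
        self.output_port = output_port  # destination port for routing
        self.permitted = permitted      # access control decision


def octets(ip):
    """Dotted-quad string -> four ints; rejects anything that is not IPv4."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError("malformed IPv4 address: %r" % ip)
    return [int(p) for p in parts]


class IPAddressCache:
    def __init__(self):
        self.root = TrieNode()
        self.node_count = 1  # root plus every inferior node allocated

    def insert(self, ip, output_port, permitted=True):
        """Descend one level per octet, allocating inferior nodes 410 on the
        way; the fourth octet selects the pointer that holds the leaf."""
        node = self.root
        b1, b2, b3, b4 = octets(ip)
        for b in (b1, b2, b3):
            if node.ptrs[b] is None:
                node.ptrs[b] = TrieNode()
                self.node_count += 1
            node = node.ptrs[b]
        node.ptrs[b4] = Leaf(output_port, permitted)

    def lookup(self, ip):
        """Exact match following at most four pointers 413; None on a miss."""
        node = self.root
        for b in octets(ip):
            ptr = node.ptrs[b]
            if ptr is None:
                return None
            if ptr.kind == LEAF:
                return ptr
            node = ptr
        return None


def nodes_for(addresses):
    """Number of trie nodes needed to hold a constructed set of addresses."""
    cache = IPAddressCache()
    for ip in addresses:
        cache.insert(ip, output_port=1)
    return cache.node_count


# Sixteen hosts in one /24 share the same three inferior nodes (node_count 4);
# sixteen hosts spread over different first octets need three new nodes each
# (node_count 49). That difference is the clustering effect the text describes.
CLUSTERED = ["3.141.59.%d" % i for i in range(1, 17)]
SCATTERED = ["%d.%d.%d.1" % (10 + i, 20 + i, 30 + i) for i in range(16)]
```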

Flow Data Export 

FIG. 5 shows a method for collecting and reporting 
information about message flow patterns. 

A method 500 for collecting and reporting information about message flow patterns is performed by the routing device 140.

At a flow point 510, the routing device 140 is disposed for obtaining information about a message flow 160. For example, in a preferred embodiment, as noted herein, the routing device 140 obtains historical information about a message flow 160 in the step 242. In alternative embodiments, the routing device 140 may obtain information about message flows 160, either in addition or instead, by occasional review of entries in the flow cache, or by directly monitoring packets 150 in message flows 160.

It will be clear to those skilled in the art, after perusing 
this application, that the concept of reporting information 
about message flows is quite broad, and encompasses a wide 
variety of possible alternatives within the scope and spirit of 
the invention. For example, in alternative embodiments, 
information about message flows may include bi-directional 
traffic information instead of unidirectional traffic 
information, information about message flows may include 
information at a different protocol layer level other than that 
of transport service access points and other than that at 
which the message flow is itself defined, or information 
about message flows may include actual data transmitted as 
part of the message flow itself. These actual data may 
include one or more of the following: information in packet 
headers, information about files or file names transmitted
during the message flow, or usage conditions of the message 
flow (such as whether the message flow involves steady or 
bursty transmission of data, or is relatively interactive or 
relatively unidirectional). 

At a step 521, the routing device 140 obtains historical 
information about a particular message flow 160, and 
records that information in a flow data table. 

At a step 522, the routing device 140 determines a size of 
the flow data table, and compares that size with a selected 
size value. If the flow data table exceeds the selected size 
value, the routing device 140 continues with the step 523 to 
report flow data. If the flow data table does not exceed the 
selected size value, the routing device 140 returns to the step 
521 to obtain historical information about a next particular 
message flow 160. 

At a step 523, the routing device 140 builds an informa- 
tion packet, responsive to the information about message 
flows 160 which is recorded in the flow data table. 

At a step 524, the routing device 140 transmits the 
information packet to a selected destination device 130 on 
the network 100. In a preferred embodiment, the selected 
destination device 130 is determined by an operating param- 
eter of the routing device 140. This operating parameter is 
set when the routing device 140 is initially configured, and 
may be altered by an operator of the routing device 140. 

In a preferred embodiment, the selected destination 
device 130 receives the information packet and builds (or 
updates) a database in the format for the RMON protocol. 
The RMON protocol is known in the art of network moni- 
toring. 
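Steps 521 through 524 together with the collector side that receives the information packet, as an added example in Python (not the patent's or any vendor's export format); the record layout, header fields, version number and sample flow histories are constructed here:

```python
"""Flow data export of FIG. 5 (steps 521-524) with a collector-side parser.
Added example, not the patent's or any vendor's export format: the record
layout, header and version number below are constructed for illustration."""
import socket
import struct

HEADER = "!HHI"            # version, record count, export sequence number
RECORD = "!4s4sHHBxIIII"   # src, dst, sport, dport, proto, pad, first,
                           # last, packets, bytes (timestamps in seconds)
VERSION = 1                # constructed value for this layout


class FlowExporter:
    """Keeps the flow data table of step 521 and flushes it as one
    information packet once it grows past the selected size value."""

    def __init__(self, max_records, send):
        self.max_records = max_records  # the selected size value of step 522
        self.send = send                # transmits one packet (step 524)
        self.table = []
        self.sequence = 0

    def record_flow(self, key, first_ts, last_ts, packets, nbytes):
        """Step 521: record historical information about an expired flow.
        key is (src_ip, src_port, dst_ip, dst_port, proto)."""
        self.table.append((key, first_ts, last_ts, packets, nbytes))
        if len(self.table) > self.max_records:  # step 522
            self.flush()

    def flush(self):
        """Steps 523-524: build the information packet and transmit it.
        Returns the packet bytes, or None when the table is empty."""
        if not self.table:
            return None
        body = b"".join(
            struct.pack(RECORD, socket.inet_aton(src), socket.inet_aton(dst),
                        sport, dport, proto, first, last, packets, nbytes)
            for (src, sport, dst, dport, proto), first, last, packets, nbytes
            in self.table)
        packet = struct.pack(HEADER, VERSION, len(self.table), self.sequence) + body
        self.sequence += 1
        self.table = []
        self.send(packet)
        return packet


def parse_export(packet):
    """Collector side: unpack one information packet into flow records,
    refusing packets whose length does not match the declared count."""
    hdr_len, rec_len = struct.calcsize(HEADER), struct.calcsize(RECORD)
    if len(packet) < hdr_len:
        raise ValueError("short export packet")
    version, count, sequence = struct.unpack_from(HEADER, packet, 0)
    if version != VERSION:
        raise ValueError("unsupported export version %d" % version)
    if len(packet) != hdr_len + count * rec_len:
        raise ValueError("record count does not match packet length")
    records = []
    for i in range(count):
        fields = struct.unpack_from(RECORD, packet, hdr_len + i * rec_len)
        src, dst, sport, dport, proto, first, last, packets, nbytes = fields
        records.append(((socket.inet_ntoa(src), sport, socket.inet_ntoa(dst),
                         dport, proto), first, last, packets, nbytes))
    return sequence, records


def demo():
    """Three constructed flow histories with a selected size of two records:
    the third record pushes the table past the limit and triggers export."""
    sent = []
    exporter = FlowExporter(max_records=2, send=sent.append)
    exporter.record_flow(("3.141.59.26", 40000, "10.0.0.7", 80, 6), 1000, 1012, 42, 61000)
    exporter.record_flow(("10.0.0.9", 0, "10.0.0.7", 0, 1), 1005, 1005, 1, 64)
    exporter.record_flow(("10.0.0.9", 5123, "10.0.0.7", 23, 6), 1001, 1059, 300, 18000)
    return sent, exporter
```

The length check in parse_export() is what a collector needs so that a truncated or padded packet is rejected rather than misread as fewer or garbage records.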

At a flow point 530, a reporting device 540 on the network 
100 is disposed for reporting using information about mes- 
sage flows 160. 

At a step 531, the reporting device 540 queries the 
selected destination device 130 for information about mes- 
sage flows 160. In a preferred embodiment, the reporting 
device 540 uses the RMON protocol to query the selected 
destination device 130 and to obtain information about 
message flows 160. 

At a step 532, the reporting device 540 builds a report 
about a condition of the network 100, responsive to infor- 
mation about message flows 160. 

At a step 533, the reporting device 540 displays or 
transmits that report about the condition of the network 100 
to interested parties. 

In preferred embodiments, the report may comprise one or 
more of a wide variety of information, and interested parties 
may use that information for one or more of a wide variety 
of purposes. Some possible purposes are noted herein: 

Interested parties may diagnose actual or potential net- 
work problems. For example, the report may comprise 
information about packets 150 in particular message flows
160, including a time stamp for a first packet 150 and a time 
stamp for a last packet 150 in the message flow 160, a 
cumulative total number of bytes in the message flow 160, 
a cumulative total number of packets 150 in the message 
flow 160, or other information relevant to diagnosing actual 
or potential network problems. 

Interested parties may determine patterns of usage of the 
network by date and time or by location. For example, the 
report may comprise information about which users or 
which services on the network are making relatively heavy 
use of resources. In a preferred embodiment, usage of the 
network 100 is displayed in a graphical form which shows 
use of the network 100 in a false-color map, so that network 
administrators and other interested parties may rapidly 
determine which services, which users, and which commu- 
nication links are relatively loaded or relatively unloaded 
with demand. 

Interested parties may determine which services are 
accessed by particular users, or which users access particular 
services. For example, the report may comprise information 
about which services are accessed by particular users at a 
particular device on the network 100, or which users access 
a particular service at a particular device on the network 100. 
This information may be used to market or otherwise 
enhance these services. In a preferred embodiment, users 
who access a particular world wide web page using the 
HTTP protocol are recorded, and information is sent to those 
users about changes to that web page and about further 
services available from the producers of that web page. 
Providers of the particular web page may also collect 
information about access to their web page in response to 
date and time of access, and location of accessing user. 

Information about patterns of usage of the network, or 
about which services are accessed by particular users, or 
which users access particular services, may be used to 
implement accounting or billing for resources, or to set 
limits for resource usage, such as by particular users, by 
particular service providers, or by particular protocol types 
(and therefore by particular types of services). 

Interested parties may determine usage which falls within 
(or without) selected parameters. These selected parameters 
may involve access during particular dates or times, such as 
for example access to particular services during or outside 
normal working hours. For example, it may be desirable to 
record those accesses to a company database which occur 
outside normal working hours. 

These selected parameters may involve access to prohib- 
ited services, excessive access to particular services, or 
excessive use of network resources, such as for example 
access to particular servers using the HTTP protocol or the 
FTP protocol which fall within (or without) a particular 
administrative policy. For example, it may be desirable to 
record accesses to repositories of games or other recreational 
material, particularly those accesses which occur within 
normal working hours. 

These selected parameters may involve lack of proper 
access, such as for example access control list failures or 
unauthorized attempts to access secure services. For 
example, it may be desirable to record unauthorized 
attempts to access secure services, particularly those 
attempts which form a pattern which might indicate a 
concerted attempt to gain unauthorized access. 
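The three kinds of "selected parameters" just described (after-hours access to a protected host, HTTP or FTP access to prohibited servers during working hours, and access-control failures that form a pattern) can all be evaluated over the exported flow records, since each record already carries the first- and last-packet time stamps, byte and packet counts, and the access-control outcome. The following is an added example written for this page, not code from the patent or from any router; the working hours, host roles and all flow records are constructed assumptions:

```python
"""Policy checks over exported flow records: an added example, not the
patent's own code. Each record carries the per-flow fields the description
lists (time stamps of first and last packet, cumulative bytes and packets)
plus the access-control outcome; every record below is constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    dst_port: int
    proto: str
    first_seen: datetime
    last_seen: datetime
    byte_count: int
    packet_count: int
    acl_denied: bool = False   # True when access control refused the flow


WORK_START, WORK_END = 9, 17   # assumed working hours: 09:00-17:00, Mon-Fri


def outside_working_hours(t: datetime) -> bool:
    """Weekend, or a weekday hour outside [WORK_START, WORK_END)."""
    return t.weekday() >= 5 or not (WORK_START <= t.hour < WORK_END)


def after_hours_access(records, protected_hosts):
    """Permitted flows to protected hosts (a company database, say) that
    begin outside working hours."""
    return [r for r in records
            if r.dst in protected_hosts and not r.acl_denied
            and outside_working_hours(r.first_seen)]


def working_hours_policy_violations(records, prohibited, ports=(80, 21)):
    """HTTP or FTP flows to prohibited servers that begin in working hours."""
    return [r for r in records
            if r.dst in prohibited and r.dst_port in ports
            and not outside_working_hours(r.first_seen)]


def acl_failure_pattern(records, threshold=3):
    """Sources with at least `threshold` access-control failures: a pattern
    worth recording rather than a single mistyped address. Returns {src: n}."""
    denied = Counter(r.src for r in records if r.acl_denied)
    return {src: n for src, n in denied.items() if n >= threshold}


def heavy_users(records, top_n=2):
    """Sources ranked by cumulative bytes, for the usage report."""
    totals = defaultdict(int)
    for r in records:
        totals[r.src] += r.byte_count
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:top_n]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample: RFC 5737 documentation addresses; 2024-03-12 is a
# Tuesday, 2024-03-16 a Saturday. Host roles are assumptions.
DB, GAMES, SECURE = "198.51.100.5", "203.0.113.7", "198.51.100.9"
SAMPLE = [
    FlowRecord("192.0.2.10", DB, 1521, "tcp", _t("2024-03-12 22:15"),
               _t("2024-03-12 22:20"), 4_000_000, 3200),
    FlowRecord("192.0.2.11", DB, 1521, "tcp", _t("2024-03-12 10:00"),
               _t("2024-03-12 10:05"), 120_000, 210),
    FlowRecord("192.0.2.12", GAMES, 80, "tcp", _t("2024-03-12 14:30"),
               _t("2024-03-12 14:45"), 9_000_000, 6100),
    FlowRecord("192.0.2.12", GAMES, 80, "tcp", _t("2024-03-16 14:30"),
               _t("2024-03-16 14:45"), 2_000_000, 1500),
] + [
    FlowRecord("192.0.2.20", SECURE, 22, "tcp", _t(f"2024-03-12 03:0{i}"),
               _t(f"2024-03-12 03:0{i}"), 60, 1, acl_denied=True)
    for i in range(3)
] + [
    FlowRecord("192.0.2.21", SECURE, 22, "tcp", _t("2024-03-12 11:00"),
               _t("2024-03-12 11:00"), 60, 1, acl_denied=True),
]
```

On the sample, `after_hours_access(SAMPLE, {DB})` returns only the 22:15 database flow, `working_hours_policy_violations(SAMPLE, {GAMES})` returns the Tuesday-afternoon flow but not the Saturday one, and `acl_failure_pattern(SAMPLE)` reports `192.0.2.20` with three failures while the single failure from `192.0.2.21` stays below threshold. The checks key on `first_seen`; a flow that starts inside working hours and runs past them would need a second test on `last_seen` if that matters to the policy.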

In alternative embodiments, the routing device 140 could 
save the actual packets 150 for the message flow 160, or 
some part thereof, for later examination. For example, a 
TELNET session (a message flow 160 comprising use of the 
TELNET protocol by a user and a host) could be recorded 
in its entirety, or some portion thereof, for later examination, 
e.g., to diagnose problems noted with the network or with 
the particular host. 

In further alternative embodiments, the routing device 
140 could save the actual packets 150 for selected message 
flows 160 which meet certain selected parameters, such as 
repeated un-authorized attempts to gain access. 

In embodiments where actual packets 150 of the message 
flow 160 are saved, it would be desirable to perform a name 
translation (such as a reverse DNS lookup), because the IP 
addresses for the source device 120 and the destination 
device 130 are transitory. Thus, it would be preferable to 
determine the symbolic names for the source device 120 and 
the destination device 130 from the IP addresses, so that the 
recorded data would have greater meaning at a later time. 

Alternative Embodiments 

Although preferred embodiments are disclosed herein, 
many variations are possible which remain within the 
concept, scope, and spirit of the invention, and these varia- 
tions would become clear to those skilled in the art after 
perusal of this application. 

We claim: 

1. A method for routing messages in a network, said 
method comprising: 

(a) identifying a first packet of a first stream having at 
least one first routing treatment in common by search- 
ing a flow cache for a match with the first packet, and 
identifying the first packet when no match is found by 
the searching; 

(b) recording said first routing treatment when no match 
is found by the search; 

(c) identifying a second packet of said first stream of 
packets by searching the flow cache for a match with 
the second packet, and identifying the second packet 
when a match is found by the searching; 

(d) routing said second packet responsive to said first 
routing treatment; 

wherein said first stream of packets is associated with a 
selected source device and a selected destination 
device. 

2. A method as in claim 1, wherein said stream of packets 
is associated with a first selected port number at said source 
device and a second selected port number at said destination 
device. 

3. A method as in claim 1, wherein said first stream of 
packets comprises an ordered sequence, and said first packet 
has a selected position in said ordered sequence. 

4. A method as in claim 1, wherein said first stream of 
packets is transmitted between a selected pair of transport 
access points. 

5. A method as in claim 1, wherein said step of recording 
comprises building an entry in a flow cache. 

6. A method as in claim 1, further comprising (e) identi- 
fying a packet of a second stream of packets, said second 
stream of packets having at least one second routing treat- 
ment in common, said second routing treatment differing 
from said first routing treatment. 

7. A method as in claim 1, wherein said routing treatment 
comprises access control information for said first packet. 

8. A method as in claim 1, wherein said routing treatment 
comprises a destination output port for routing said first 
packet. 

9. A method as in claim 1, further comprising: 

(e) recording information about said first stream of pack- 
ets; and 

(f) transmitting said information to at least one selected 
device on said network. 
10. A method as in claim 9, wherein said information 
includes: 

a transmission time for an initial packet in said first stream 
of packets; 

a transmission time for a most recent one packet in said 
first stream of packets; 

a cumulative count of bytes in said first stream of packets; 
or 

a cumulative count of said packets in said first stream of 
packets. 

11. A method as in claim 9, further comprising: 

(e) receiving said information at said selected device on 
said network; 

(f) recording said information in a database at said 
selected device; and 

(g) making said information available to a second device 
on said network. 

12. A method as in claim 9, wherein said information 
includes: 

a transmission time for an initial packet in said first stream 
of packets. 

13. A method as in claim 9, wherein said information 
includes: 

a transmission time for a most recent packet in said first 
stream of packets. 

14. A method as in claim 9, wherein said information 
includes: 

a cumulative count of bytes in said first stream of packets. 

15. A method as in claim 9, wherein said information 
includes: 

a cumulative count of said packets in said first stream of 
packets. 

16. A system for routing packets in a network, said system 
comprising: 

(a) means for receiving a plurality of packets, said plu- 
rality of packets comprising a plurality of message 
flows, each message flow comprising a stream of 
packets associated with a selected source device and a 
selected destination device, each said packet being 
associated with one selected message flow, and each 
said message flow having at least one routing treatment 
in common; 

(b) means for associating packets with a first one of said 
message flows; 

(c) means for searching a flow cache for a match with said 
first one message flow; 

(d) means for inputting an entry into the flow cache 
associated with said first one message flow when no 
match is found by the searching; and 

(e) means for routing packets responsive to entries in said 
flow cache. 

17. A system as in claim 16, wherein said entry comprises 
access control information. 

18. A system as in claim 17, wherein said entry comprises 
a destination output port for routing packets. 

19. A system as in claim 16, further comprising (e) means 
for transmitting information responsive at least one said 
entry to at least one selected device on said network. 

20. A system as in claim 19, wherein said information 
includes: 

a transmission time for a first packet in each message 
flow; 

a transmission time for a most recent packet in each 
message flow; 

a cumulative count of bytes in each message flow; 

a cumulative count of a number of packets in each 
message flow. 
21. A system as in claim 19, wherein said information 
includes: 

a transmission time for a first packet in each message 
flow. 

22. A system as in claim 19, wherein said information 
includes: 

a transmission time for a most recent packet in each 
message flow. 

23. A system as in claim 19, wherein said information 
includes: 

a cumulative count of bytes in each message flow. 

24. A system as in claim 19, wherein said information 
includes: 

a cumulative count of a number of packets in each 
message flow. 

25. A system for routing packets in a network, said system 
comprising: 

(a) a routing device to receive a plurality of packets, said 
plurality of packets comprising a plurality of message 
flows, each message flow comprising a stream of 
packets associated with a selected source device and a 
selected destination device, each said packet being 
associated with one selected message flow, and each 
said message flow having at least one routing treatment 
in common, wherein said routing device includes: 
(a1) a routing processor to associate packets with a first 
one of said message flows; 
(a2) a flow cache having an entry associated with said 
first one message flow, wherein said routing proces- 
sor searches said flow cache for a match with said 
first one message flow and inputs the entry associ- 
ated with said first one message flow when no match 
is found by the searching; and 
(a3) the routing processor routing packets responsive to 
entries in said flow cache. 

26. A system as in claim 25, wherein said entry comprises 
access control information. 

27. A system as in claim 26, wherein said entry comprises 
a destination output port for routing packets. 

28. A system as in claim 27, wherein said routing pro- 
cessor further transmits information responsive at least one 
said entry to at least one selected device on said network. 

29. A system as in claim 28, wherein said information 
includes: 

a transmission time for a first packet in each message 
flow; 

a transmission time for a most recent packet in each 
message flow; 

a cumulative count of bytes in each message flow; or 

a cumulative count of a number of packets in each 
message flow. 

30. A system as in claim 29, wherein said information 
includes: 

a transmission time for a first packet in each message flow. 

31. A system as in claim 29, wherein said information 
includes: 

a transmission time for a most recent packet in each 
message flow. 

32. A system as in claim 29, wherein said information 
includes: 

a cumulative count of bytes in each message flow. 

33. A system as in claim 29, wherein said information 
includes: 

a cumulative count of a number of packets in each 
message flow. 
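The procedure recited in claims 1 and 16 (search a flow cache for the packet's flow; on a miss, decide the routing treatment and record an entry; on a hit, route from the entry) together with the per-flow accounting of claim 10 and the name translation the description recommends before records are kept, as one added example written for this page. It is not the patent's or any router's code: the flow key, the routing table, the access list and the name table are constructed assumptions, and "routing treatment" here is just an output port plus an access-control verdict.

```python
"""Flow-cache switching as claims 1, 10 and 16 recite it, plus name
resolution at export time (description): an added example, not the patent's
or any router's code. Routing table, access list and name table are
constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, str, str, int, int]   # (src, dst, proto, sport, dport)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    size: int
    ts: float


@dataclass
class RoutingTreatment:
    output_port: Optional[int]   # None when the flow is not forwarded
    permitted: bool              # access-control verdict for the flow


@dataclass
class FlowEntry:
    treatment: RoutingTreatment
    first_ts: float
    last_ts: float
    byte_count: int = 0
    packet_count: int = 0


ROUTES = {"198.51.100.0/24": 1, "203.0.113.0/24": 2}   # prefix -> output port
ACL_DENY = [("192.0.2.0/24", 23)]                      # (src prefix, dport)


class FlowSwitch:
    def __init__(self, resolver=lambda addr: addr):
        self.cache: Dict[FlowKey, FlowEntry] = {}
        self.slow_path_calls = 0     # how often the full lookup ran
        self.resolver = resolver     # address -> symbolic name

    @staticmethod
    def key(p: Packet) -> FlowKey:
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    def slow_path(self, p: Packet) -> RoutingTreatment:
        """Full lookup (ACL, then route), run only for a flow's first packet."""
        self.slow_path_calls += 1
        for prefix, port in ACL_DENY:
            if p.dport == port and ip_address(p.src) in ip_network(prefix):
                return RoutingTreatment(None, False)
        for prefix, out in ROUTES.items():
            if ip_address(p.dst) in ip_network(prefix):
                return RoutingTreatment(out, True)
        return RoutingTreatment(None, False)    # no route: drop

    def process(self, p: Packet) -> Optional[int]:
        """Claim 1: search the flow cache; on a miss, decide and record the
        treatment; on a hit, route from the entry. Returns the output port,
        or None when the packet is dropped. Counters feed claim 10's export."""
        k = self.key(p)
        entry = self.cache.get(k)
        if entry is None:
            entry = FlowEntry(self.slow_path(p), p.ts, p.ts)
            self.cache[k] = entry
        entry.last_ts = p.ts
        entry.byte_count += p.size
        entry.packet_count += 1
        return entry.treatment.output_port if entry.treatment.permitted else None

    def export(self):
        """One record per flow; names are resolved now because the addresses
        are transitory and would mean less later."""
        return [{"src": self.resolver(k[0]), "dst": self.resolver(k[1]),
                 "proto": k[2], "dport": k[4], "first": e.first_ts,
                 "last": e.last_ts, "bytes": e.byte_count,
                 "packets": e.packet_count, "permitted": e.treatment.permitted}
                for k, e in self.cache.items()]


# Constructed sample: one permitted HTTP flow, one TELNET flow the ACL denies.
NAMES = {"192.0.2.10": "ws10.example", "198.51.100.5": "srv5.example"}
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "198.51.100.5", "tcp", 40000, 80, 60, 1.0),
    Packet("192.0.2.10", "198.51.100.5", "tcp", 40000, 80, 1500, 1.1),
    Packet("192.0.2.10", "198.51.100.5", "tcp", 40000, 80, 1500, 1.2),
    Packet("192.0.2.10", "198.51.100.5", "tcp", 40001, 23, 60, 2.0),
    Packet("192.0.2.10", "198.51.100.5", "tcp", 40001, 23, 60, 2.5),
]


def run_sample():
    """Switch the sample packets; returns (switch, per-packet decisions)."""
    sw = FlowSwitch(resolver=lambda a: NAMES.get(a, a))
    return sw, [sw.process(p) for p in SAMPLE_PACKETS]
```

Running `run_sample()` switches five packets with only two slow-path lookups, one per flow; the three HTTP packets leave on port 1 and both TELNET packets are dropped. The denied flow still gets a cache entry with its counters, which is what makes the access-control failures of the description visible in the export: `export()` shows the TELNET flow with `permitted` False, two packets, and the source already translated to `ws10.example`.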